Energy firms' security so POOR, insurers REFUSE to take their cash

Underwriters are reportedly refusing to insure energy firms because poor security controls are leaving them wide open to attacks by hackers and malware infestations.

Lloyd's of London told the BBC they had seen a surge in requests for insurance from energy sector firms, but poor test scores from security risk assessors mean that insurers are turning down potential multi-million pound contracts.

"In the last year or so we have seen a huge increase in demand from energy and utility companies," Laila Khudari, an underwriter at the Kiln Syndicate, which offers cover via Lloyd's of London, told the Beeb. "They are all worried about their reliance on computer systems and how they can offset that with insurance."

Infosec experts called in to review energy sector systems come back with negative reviews. And that means offering "safety net" insurance against breaches is not viable as a business proposition. "We would not want insurance to be a substitute for security," Khudari explained. ... More and more problems are being discovered in crucial systems that are rarely patched and this creates a recipe for disaster.

Jonathan Roach, principal security consultant at Context Information Security, told El Reg: "SCADA systems have not been patched in years for various reasons: isolation of SCADA networks making the process of patching awkward; lack of motivation to perform what is sometimes seen as a risky process to a critical plant component; terms of software support contracts" ...

"Energy firms seeking insurance against cyber-attacks shows the vulnerability of our critical infrastructure is finally hitting home," McIntosh said. "According to a recent Zpryme Research study, half of infrastructure providers in the US believed electrical networks were insecure.